Preventing security breaches within computing systems has become of paramount importance with the increasing interconnection of computing systems via the Internet and other networks. Viruses, Trojan horses, worms, and other types of malicious software can infect computing systems, causing them to perform inefficiently and/or maliciously. Such malicious software is often received through web-browsing programs when browsing web sites on the Internet, through email programs when receiving new email, and through instant messaging programs when receiving new instant messages (i.e., with the software being received as a file attachment to an instant message), among other ways.
Existing approaches to preventing security breaches typically focus on detecting whether malicious software has been received while performing the activities indicated in the previous paragraph. For example, fingerprinting or signature-detecting techniques examine computer program code, or software, that has been received and compares it to hexadecimal fingerprints or signatures to determine whether the computer program software is infected with any malicious elements (i.e., malicious software), thereby making the computer program software malicious and vulnerable. However, such techniques can only detect known malicious software, and not new malicious software, requiring continual updating of the fingerprint or signature database to be effective.
Another example is a heuristic approach, which attempts to detect whether computer program software that has been received is infected with any malicious software by scrutinizing various aspects of the software, and determining the likelihood that the computer program software has been infected with malicious software. This approach can be relatively slow, and results in decreasing the performance of a computing system. Furthermore, the heuristic approach can yield false negatives (indicating that computer program software is not infected with malicious software when in fact it is) or false positives (indicating that computer program software is infected with malicious software when in fact it is not).
A third example is an integrity-checking approach, which compares a calculated checksum of computer program software that has been received against a known checksum for the software. If the calculated checksum disagrees with the known checksum, then it is concluded that the computer program software has been modified, potentially due to infection with malicious software. However, integrity checking presumes that a known checksum is available for the computer program software in question, which is not always the case. There is therefore a need to ameliorate one or more of the above mentioned disadvantages associated with the prior art.